Commit Graph

362 Commits

Author SHA1 Message Date
Fraser Tweedale
bc0c606885 Add CA ACL plugin
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.

At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.

Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 10:50:31 +00:00
Petr Vobornik
99ce650b59 add entries required by topology plugin on update
These entries were not added on upgrade from old IPA servers and on replica
creation.

https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 12:10:40 +02:00
Petr Vobornik
7cf82cf9aa move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-11 12:10:40 +02:00
Jan Cholasta
81729e22d3 vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Fraser Tweedale
979947f7f2 Add usercertificate attribute to user plugin
Part of: https://fedorahosted.org/freeipa/tickets/4938

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Fraser Tweedale
300b74fc7f Add certprofile plugin
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.

Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Rob Crittenden
a92328452d Add plugin to manage service constraint delegations
Service Constraints are the delegation model used by
ipa-kdb to grant service A to obtain a TGT for a user
against service B.

https://fedorahosted.org/freeipa/ticket/3644

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-03 09:47:40 +00:00
Martin Basti
943c539122 ULC: fix: upgrade for stage Stage User Admins failed
Upgrade failed because entry 'dn: cn=Stage User
Administrators,cn=privileges,cn=pbac,$SUFFIX' doesnt exist.

Now upgrade will create the privilege if it does not exist.

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-02 13:50:19 +00:00
Tomas Babej
f3010498af Add Domain Level feature
https://fedorahosted.org/freeipa/ticket/5018

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-05-26 11:59:47 +00:00
Ludwig Krispenz
4bcc2546d5 install part - manage topology in shared tree
https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-05-26 10:43:50 +02:00
Endi S. Dewata
fde21adcbd Added vault plugin.
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-25 06:17:09 +00:00
Martin Basti
98e4c6d6de Uid uniqueness: fix: exclude compat tree from uniqueness
Without this commit it is not possible to move user to staged area.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-05-22 15:41:41 +02:00
Martin Basti
fbdfd688b9 Server Upgrade: Fix uniqueness plugins
Due previous changes (in master branch only) the uniqueness plugins
became misconfigured.

After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are exluded from check

This reverts some changes in commit
52b7101c11

Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.

https://fedorahosted.org/freeipa/ticket/4921

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-05-19 12:45:41 +00:00
Thierry Bordaz
51937cc571 User life cycle: Stage user Administrators permission/priviledge
Creation of stage user administrator

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Thierry Bordaz
c9e1ad0dbc User life cycle: DNA DS plugin should exclude provisioning DIT
Set the DNAexcludescope on provisioning part of the DIT

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Thierry Bordaz
0ebcc5b922 User life cycle: new stageuser commands activate
Add plugin commands to stageuser plugin:
stageuser_activate: activate entries created by IPA CLIs

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Martin Basti
57fba7a56f Server Upgrade: fix memberUid index
https://fedorahosted.org/freeipa/ticket/5007

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-05-12 12:50:47 +02:00
Martin Basti
5783d0c832 Server Upgrade: remove CSV from upgrade files
CSV values are not supported in upgrade files anymore

Instead of

   add:attribute: 'first, part', second

please use

  add:attribute: firts, part
  add:attribute: second

Required for ticket: https://fedorahosted.org/freeipa/ticket/4984

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-11 16:08:01 +00:00
Petr Vobornik
4364ac08c5 speed up indirect member processing
the old implementation tried to get all entries which are member of group.
That means also user. User can't have any members therefore this costly
processing was unnecessary.

New implementation reduces the search only to entries which have members.

Also page size was removed to avoid paging by small pages(default size: 100)
which is very slow for many members.

https://fedorahosted.org/freeipa/ticket/4947

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-04-27 05:55:04 +00:00
Martin Basti
f24f614396 Server Upgrade: specify order of plugins in update files
* add 'plugin' directive
* specify plugins order in update files
* remove 'run plugins' options
* use ldapupdater API instance in plugins
* add update files representing former PreUpdate and PostUpdate order of plugins

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-04-14 19:25:47 +02:00
Thierry bordaz (tbordaz)
d1691eee88 User life cycle: stageuser-add verb
Add a accounts plugin (accounts class) that defines
variables and methods common to 'users' and 'stageuser'.
accounts is a superclass of users/stageuser

Add the stageuser plugin, with support of stageuser-add verb.

Reviewed By: David Kupka, Martin Basti, Jan Cholasta

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-04-08 08:19:09 +02:00
root
6e00f73182 Limit deadlocks between DS plugin DNA and slapi-nis
Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config
	are updated at the same time.
	Schema-compat should ignore update on DNA config.

	https://fedorahosted.org/freeipa/ticket/4927

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-03-05 13:34:25 +00:00
Martin Basti
52b7101c11 Fix uniqueness plugins
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid

* remove unneded update plugins -> update was moved to .update file

* add uniqueness-across-all-subtrees required by user lifecycle
management

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Basti
4b2ec5468f Migrate uniquess plugins configuration to new style
New configuration style contains options required for user lifecycle
management.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Kosek
251c97cf96 Replication Administrators cannot remove replication agreements
Replication agreement deletion requires read access to DNA range
setting. The read access was accidently removed during PermissionV2
refactoring.

Add the read ACI back as a special SYSTEM permission.

https://fedorahosted.org/freeipa/ticket/4848

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-01-20 16:52:53 +01:00
Martin Kosek
1537ac8138 Allow Replication Administrators manipulate Winsync Agreements
Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.

To allow reading winsync replicas, the original deny ACI cn=replica
had to be removed as it prevented admins from reading the entries,
but just anonymous/authenticated users.

https://fedorahosted.org/freeipa/ticket/4836

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:52:55 +01:00
Martin Kosek
6652c4eb2e Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.

New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.

https://fedorahosted.org/freeipa/ticket/4837

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00
Martin Basti
bb405bd972 Fix: Upgrade forwardzones zones after adding newer replica
Patch fixes issue, when forwardzones has not been upgraded after adding
replica >=4.0 into topology with IPA 3.x servers.

Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-09 13:30:37 +01:00
Nathaniel McCallum
9baa93da1c Make token auth and sync windows configurable
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:42:19 +01:00
Martin Basti
2712b609cb Upgrade: fix trusts objectclass violationi
Execute updates in proper ordering.
Curently ldap-updater implementation doesnt allow better fix.

Ticket: https://fedorahosted.org/freeipa/ticket/4680
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 13:31:17 +01:00
Martin Basti
f62c7843ff Fix upgrade referint plugin
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade

Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 13:26:34 +01:00
Thierry bordaz (tbordaz)
85eb17553f Deadlock in schema compat plugin (between automember_update_membership task and dse update)
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)

https://fedorahosted.org/freeipa/ticket/4635

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-06 09:38:45 +01:00
Martin Basti
eb54814741 DNSSEC: DNS key synchronization daemon
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
c655b7bf76 Remove ipaContainer, ipaOrderedContainer objectclass
https://fedorahosted.org/freeipa/ticket/4646

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 16:58:16 +02:00
Alexander Bokovoy
bd98ab0356 Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Nathaniel McCallum
68825e7ac6 Configure IPA OTP Last Token plugin on upgrade
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Nathaniel McCallum
41bf0ba940 Create ipa-otp-counter 389DS plugin
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.

Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.

https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:12:36 +02:00
Martin Kosek
588e7bc899 Remove changetype attribute from update plugin
The attribute addition had no effect, but it should not be there.
2014-10-17 12:02:25 +02:00
Ludwig Krispenz
08c3fe17ef Ignore irrelevant subtrees in schema compat plugin
For changes in cn=changelog or o=ipaca the scheam comapat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backens in DS.

https://fedorahosted.org/freeipa/ticket/4586

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-10-14 11:00:43 +02:00
Tomas Babej
bba3769196 idviews: Update the referential plugin config to watch for ipaAssignedIDView
We need the referential plugin config to watch for changes in the ID view
objects, since hosts refer to them in ipaAssignedIDView attribute.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
6b14030e90 idviews: Create container for ID views under cn=accounts
Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
1c022646d2 Set the default attributes for RootDSE
With 389 DS 1.3.3 upwards we can leverage the nsslapd-return-default-opattr
attribute to enumerate the list of attributes that should be returned
even if not specified explicitly. Use the behaviour to get the same attributes
returned from searches on rootDSE as in 1.3.1.

https://fedorahosted.org/freeipa/ticket/4288

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-24 10:02:44 +02:00
Petr Viktorin
d61fb40542 Update referential integrity config for DS 1.3.3
Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:

    nsslapd-pluginarg3: member
    nsslapd-pluginarg4: uniquemember
    nsslapd-pluginarg5: owner
    nsslapd-pluginarg6: seeAlso

In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.

The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.

Convert IPA defaults to use referint-membership-attr.

https://fedorahosted.org/freeipa/ticket/4537

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 17:42:08 +02:00
Ludwig Krispenz
ab196220fd Update SSL ciphers configured in 389-ds-base
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later

https://fedorahosted.org/freeipa/ticket/4395

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-09-12 16:42:09 +02:00
Thierry bordaz (tbordaz)
7fc4f60c2f User Life Cycle: DNA scopes full SUFFIX
In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX'
This part of the fix was invalid as trust domain object (that need uid/gid allocation)
are under 'cn=trust,SUFFIX'. Revert that part of the fix.
Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-01 08:16:44 +02:00
Thierry bordaz (tbordaz)
04ea75a7a5 User Life Cycle: create containers and scoping DS plugins
User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging
containers needs to be created.
		Active: cn=users,cn=accounts,$SUFFIX
		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
			cn=accounts,SUFFIX
			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
		DNA:
			cn=accounts,SUFFIX

		Plugins exclude subtree:
		IPA UUID, Referential Integrity, memberOf:
			cn=provisioning,SUFFIX

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-19 09:48:20 +02:00
Jan Cholasta
586373cf07 Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
fd80cc1c59 Configure attribute uniqueness for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
1c612ad3e1 Add container for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
1778f0ebc9 Allow IPA master hosts to read and update IPA master information.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
73d8db6d92 Allow IPA master hosts to update CA certificate in LDAP.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Martin Kosek
15eb343b9c Allow hashed passwords in DS
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 10:36:47 +02:00
Tomas Babej
b7a1401e9d trusts: Make cn=adtrust agents sysaccount nestedgroup
Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.

https://fedorahosted.org/freeipa/ticket/4433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-18 10:08:04 +02:00
Petr Viktorin
23feb4e027 Allow read access to services in cn=masters to auth'd users
https://fedorahosted.org/freeipa/ticket/4425

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-04 15:58:14 +02:00
Martin Basti
3461be5c78 Fix: Missing ACI for records in 40-dns.update
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-04 12:27:24 +02:00
Martin Basti
30551a8aa3 Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0 Remove NSEC3PARAM record
Revert 5b95be802c

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
c655aa2832 Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 12:43:55 +02:00
Petr Viktorin
d1ede20680 Allow admins to write krbLoginFailedCount
Without write access to this attribute, admins could not unlock users.

https://fedorahosted.org/freeipa/ticket/4409

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-01 10:02:02 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Tomas Babej
b1275c5b1c sudorule: Enforce category ALL checks on dirsrv level
https://fedorahosted.org/freeipa/ticket/4341

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
3a56b155e8 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
Makes sure we dereference the correct attribute. Also adds object class
checking.

https://fedorahosted.org/freeipa/ticket/4324

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
9304b649a3 sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.

https://fedorahosted.org/freeipa/ticket/4263

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
a228d7a3cb sudorule: Allow using hostmasks for setting allowed hosts
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.

https://fedorahosted.org/freeipa/ticket/4274

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
c2e6b74029 trusts: Allow reading system trust accounts by adtrust agents
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 15:01:52 +02:00
Petr Viktorin
52003a9ffb Convert Sudo Command Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
6b478628dc Convert Sudo Command default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
f8dc51860c Convert SELinux User Map default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
8e8e6b1ae7 Convert HBAC Service Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
49abbb1ead Convert HBAC Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
81d8c8acb5 Convert HBAC Rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8 Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3 Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Jan Cholasta
d6fb110b77 Support requests with SAN in cert-request.
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.

https://fedorahosted.org/freeipa/ticket/3977

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
8a5110305f Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
f486d23ad6 Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's
no need to hide them.

Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Petr Viktorin
18744d1833 Fix: Allow read access to masters, but not their services, to auth'd users
Fixes commit b243da415e

A bad version of the patch was sent and pushed.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 17:13:03 +02:00
Petr Viktorin
b243da415e Allow read access to masters, but not their services, to auth'd users
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-19 16:46:29 +02:00
Petr Viktorin
49e83256b4 Convert Password Policy default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:43 +02:00
Petr Viktorin
ca465e8ae7 Convert COSTemplate default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
853b6ef4ce Convert DNS default permissions to managed
Convert the existing default permissions.

The Read permission is split between Read DNS Entries and Read
DNS Configuration.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Nathaniel McCallum
98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
Petr Viktorin
53a63ae346 Convert User default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
91a5aecd48 Convert Sudo rule default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:18 +02:00
Petr Viktorin
93ad23912e Add read permissions for automember tasks
Permission to read all tasks is given to high-level admins.
Managed permission for automember tasks is given to automember task admins.
"targetattr=*" is used because tasks are extensibleObject with
attributes that aren't in the schema.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-02 13:04:59 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Petr Viktorin
99691d1171 aci-update: Add ACI for read-only admin attributes
Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.

https://fedorahosted.org/freeipa/ticket/4319

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
223e6dc3f7 aci-update: Trim the admin write blacklist
These attributes are removed from the blacklist, which means
high-level admins can now modify them:

- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName

The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.

Also, move the admin ACIs from ldif and trusts.update to aci.update.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-25 14:06:08 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
1389567ec5 Extend anonymous read ACI for containers
- Allow cn=etc,$SUFFIX with these exceptions:
  - cn=masters,cn=ipa,cn=etc,$SUFFIX
  - virtual operations
  - cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Petr Viktorin
baa72b68b1 Add a new ipaVirtualOperation objectClass to virtual operations
The entries are moved from the ldif file to an update file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 11:19:51 +02:00
Petr Viktorin
1e46c0a361 Add managed read permissions to automember
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 12:38:50 +02:00
Petr Viktorin
5c8548a4ad Allow anonymous read access to Kerberos containers
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-16 16:10:43 +02:00
Petr Viktorin
b53f2d28fd Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.

Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2014-04-16 16:10:43 +02:00
Petr Viktorin
f10ec17c03 Add managed read permissions to pwpolicy and cosentry
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-14 12:05:40 +02:00
Petr Viktorin
a185d45d87 Add managed read permissions to RBAC objects
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2014-04-11 10:17:41 +02:00
Petr Viktorin
0e659983a6 Allow anonymous read access to containers
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.

Also, $SUFFIX itself can now be read anonymously.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-08 10:34:16 +02:00
Alexander Bokovoy
ad6480f845 schema-compat: set precedence to 49 to allow OTP binds over compat tree
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.

Note that this will only work if ticket 47699 is fixed in 389-ds.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-04-04 08:45:43 +02:00
Martin Kosek
b3c2197b7e Update Dogtag 9 database during replica installation
When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and miss several ACLs
which prevent some of the PKI functions, e.g. an ability to create
other clones.

Add an update file to do the database update. Content is based on
recommendation from PKI team:
   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

This update file can be removed when Dogtag database upgrades are done
in PKI component. Upstream tickets:
   * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
   * https://fedorahosted.org/pki/ticket/906 (checking database version)

Also make sure that PKI service is restarted in the end of the installation
as the other services to make sure it picks changes done during LDAP
updates.

https://fedorahosted.org/freeipa/ticket/4243

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-14 14:26:38 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
a91c0972b9 Update ACIs to permit users to add/delete their own tokens
https://fedorahosted.org/freeipa/ticket/4087

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-13 19:43:29 +01:00
Petr Spacek
04627b72d6 Limit memberOf and refInt DS plugins to main IPA suffix.
This drastically improves performance of retro changelog trimming.

https://fedorahosted.org/freeipa/ticket/3967
2014-01-27 14:40:36 +01:00
Martin Kosek
48ffe39b6b sudoOrder missing in sudoers
sudoers compat plugin configuration missed the sudoOrder attribute
and it thus did not show up in ou=sudoers. Add the definion to update
file.

https://fedorahosted.org/freeipa/ticket/4107
2014-01-15 11:00:35 +01:00
Ana Krivokapic
689382dc83 Enable Retro Changelog and Content Synchronization DS plugins
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.

Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.

https://fedorahosted.org/freeipa/ticket/3967
2014-01-14 16:37:56 +01:00
Tomas Babej
3e1386a57e acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.

Part of: https://fedorahosted.org/freeipa/ticket/3306
2014-01-14 15:22:27 +01:00
Nathaniel McCallum
4cb2c2813d Add RADIUS proxy support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-03 14:49:10 +01:00
Petr Viktorin
d9a1c09e7c Remove schema modifications from update files
As schema is now handled by the schema updater, these entries
are superfluous.

https://fedorahosted.org/freeipa/ticket/3454
2013-11-18 16:54:21 +01:00
Ana Krivokapic
dfea5989f7 Add a privilege and a permission needed for automember rebuild command
Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
https://fedorahosted.org/freeipa/ticket/3752
2013-11-15 12:46:06 +01:00
Nathaniel McCallum
3f85f09a83 Add support for managing user auth types
https://fedorahosted.org/freeipa/ticket/3368
2013-11-08 12:48:15 +01:00
Martin Kosek
44d1886d39 Remove deprecated AllowLMhash config
Remove this ipaConfigString value as LM hash is deprecated and in
fact even insecure.

https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:30:10 +01:00
Martin Kosek
cdd2e9caff Do not add kadmin/changepw ACIs on new installs
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.

The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.

https://fedorahosted.org/freeipa/ticket/3987
2013-10-25 15:26:51 +02:00
Martin Kosek
b1451373c4 Remove faulty DNS memberOf Task
This task was added with a DN colliding with privilege update memberOf
task being run later and caused this task to be ineffective and thus
miss some privilege membership, like "SELinux User Map Administrators"

DNS update plugin do not need to run any task at all as privileges
will be updated later in scope of 55-pbacmemberof.update

https://fedorahosted.org/freeipa/ticket/3877
2013-10-04 14:30:13 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Martin Kosek
f5ef2fb146 Increase default SASL buffer size
Default SASL buffer size was too small and could lead for example to
migration errors.

https://fedorahosted.org/freeipa/ticket/3826
2013-08-07 14:13:56 +02:00
Rob Crittenden
198d82d4ce Add Camellia ciphers to allowed list.
https://fedorahosted.org/freeipa/ticket/3749
2013-07-18 10:49:38 +03:00
Nathaniel McCallum
d5c1b18bcc Fix for small syntax error in OTP schema
https://fedorahosted.org/freeipa/ticket/3765
2013-07-11 12:39:29 +03:00
Jan Cholasta
a209bb38aa Add missing equality index for ipaUniqueId.
https://fedorahosted.org/freeipa/ticket/3743
2013-07-11 12:39:26 +03:00
Jan Cholasta
a10521a1dc Add missing substring indices for attributes managed by the referint plugin.
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticable slowdown for large directories if
the attributes are not indexed.

https://fedorahosted.org/freeipa/ticket/3706
2013-07-11 12:39:26 +03:00
Jan Cholasta
ea7db35b62 Enable SASL mapping fallback.
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
2013-06-27 17:06:51 +02:00
Tomas Babej
ddb3957011 Add ipaRangeType attribute to LDAP Schema
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.

ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.

Part of https://fedorahosted.org/freeipa/ticket/3647
2013-06-10 12:27:33 +03:00
Tomas Babej
bcf8ab24d5 Do not check userPassword with 7-bit plugin
Default list of attributes that are checked with 7-bit plugin
for being 7-bit clean includes userPassword. Consecutively, one
is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640
2013-06-06 18:12:50 +02:00
Nathaniel McCallum
cb68935435 Add IPA OTP schema and ACLs
This commit adds schema support for two factor authentication via
OTP devices, including RADIUS or TOTP. This schema will be used
by future patches which will enable two factor authentication
directly.

https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Nathaniel McCallum
bc26d87b34 Add ipaUserAuthType and ipaUserAuthTypeClass
This schema addition will be useful for future commits. It allows us to
define permitted external authentication methods on both the user and
global config. The implementation is generic, but the immediate usage
is for otp support.

https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Petr Viktorin
d4a0fa34af Fix syntax errors in schema files
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.

The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).

https://fedorahosted.org/freeipa/ticket/3578
2013-04-26 11:15:16 -04:00
Petr Viktorin
e9863e3fe3 Fix syntax of the dc attributeType
dc syntax is changed from Directory String to IA5 String to conform
to RFC 2247.

Part of the work for https://fedorahosted.org/freeipa/ticket/3578
2013-04-26 11:13:52 -04:00
Martin Kosek
5af2e1779a Add userClass attribute for hosts
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
in automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
2013-04-26 10:20:17 -04:00
Ana Krivokapic
4cff518517 Add missing permissions to Host Administrators privilege
The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.

https://fedorahosted.org/freeipa/ticket/3585
2013-04-24 14:35:22 -04:00
Tomas Babej
75f0801324 Add nfs:NONE to default PAC types only when needed
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.

https://fedorahosted.org/freeipa/ticket/3555
2013-04-15 14:46:21 +02:00
Rob Crittenden
8377f4e92f Apply LDAP update files in blocks of 10, as originally designed.
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.

The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.

Now updates are computed and applied in blocks of 10.

https://fedorahosted.org/freeipa/ticket/3377
2013-04-12 10:16:01 -04:00
Petr Viktorin
74abb432fb Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
A commonName attribute has no meaning in DNS records.

https://fedorahosted.org/freeipa/ticket/3514
2013-04-10 13:56:11 +02:00
Martin Kosek
81be28d6bd Change CNAME and DNAME attributes to single valued
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.

https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
2013-04-02 17:11:46 +02:00
Jan Cholasta
5f26d2c6db Add Kerberos ticket flags management to service and host plugins.
https://fedorahosted.org/freeipa/ticket/3329
2013-03-29 16:34:46 +01:00
Martin Kosek
b5b040e68f Configure ipa_dns DS plugin on install and upgrade
The plugin is configured unconditionally (i.e. does not check if
IPA was configured with DNS) as the plugin is needed on all
replicas to prevent objectclass violations due to missing SOA
serial in idnsZone objectclass. The violation could happen if just
one replica configured DNS and added a new zone.

https://fedorahosted.org/freeipa/ticket/3347
2013-03-22 14:31:22 +01:00
Rob Crittenden
9005b9bc8a Extend ipa-replica-manage to be able to manage DNA ranges.
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.

If one cannot be found then it is reported as an error.

Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.

http://freeipa.org/page/V3/Recover_DNA_Ranges

https://fedorahosted.org/freeipa/ticket/3321
2013-03-13 10:32:36 -04:00
Petr Viktorin
91606e6679 Change DNA magic value to -1 to make UID 999 usable
Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886
2013-03-11 17:07:07 +01:00
Sumit Bose
2d90724a7e Add NFS specific default for authorization data type
Since the hardcoded default fpr the NFS service was removed the default
authorization data type is now set in the global server configuration.

https://fedorahosted.org/freeipa/ticket/2960
2013-03-08 10:46:00 +01:00
Jan Cholasta
54080f46b0 Remove disabled entries from sudoers compat tree.
The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.

https://fedorahosted.org/freeipa/ticket/3437
2013-03-06 16:08:20 +01:00
Martin Kosek
4a6f3cac29 Remove ORDERING for IA5 attributeTypes
IA5 string syntax does not have a compatible ORDERING matching rule.
Simply use default ORDERING for these attributeTypes as we already
do in other cases.

https://fedorahosted.org/freeipa/ticket/3398
2013-02-27 12:47:04 +01:00
Rob Crittenden
49beb8cd3a Add missing v3 schema on upgrades, fix typo in schema.
Add mising ipaExternalMember attribute and ipaExternalGroup objectclass.

Replacing mis-spelled ORDERING value on new install and upgrades.

https://fedorahosted.org/freeipa/ticket/3398
2013-02-22 13:30:59 +01:00
Petr Viktorin
981c9f10ee Update sudocmd ACIs to use targetfilter
Sudo commands created in the past have the sudocmd in their RDN, while
the new case-sensitive ones have ipaUniqueID. In order for permissions
to apply to both of these, use a targetfilter for objectclass=ipasudocmd
instead of sudocmd=* in the target.
2013-02-20 17:35:20 +01:00
Ana Krivokapic
3253a30541 Add list of domains associated to our realm to cn=etc
Add new LDAP container to store the list of domains associated with IPA realm.
Add two new ipa commands (ipa realmdomains-show and ipa realmdomains-mod) to allow
manipulation of the list of realm domains.
Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/2945
2013-02-19 14:15:46 +02:00
Martin Kosek
d4d19ff423 Add SID blacklist attributes
Update our LDAP schema and add 2 new attributes for SID blacklist
definition. These new attributes can now be set per-trust with
trustconfig command.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:34 +01:00
Petr Viktorin
b27267b00a Don't add another nsDS5ReplicaId on updates if one already exists
Modify update file to use default: rather than add: in
cn=replication,cn=etc,$SUFFIX.

Drop quotes around nsDS5ReplicaRoot because default: values
are not parsed as CSV.

https://fedorahosted.org/freeipa/ticket/3394
2013-02-06 12:22:00 +01:00
Ana Krivokapic
3bd96ddf05 Add crond as a default HBAC service
Ticket: https://fedorahosted.org/freeipa/ticket/3215
2013-01-17 09:50:48 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Rob Crittenden
7c2eb48850 Set MLS/MCS for user_u context to what will be on remote systems.
The user_u context in the default list was broader than is actually
configured by default on systems.

https://fedorahosted.org/freeipa/ticket/3224
2012-11-02 10:17:51 -04:00
Rob Crittenden
ea4f60b15a Explicitly disable betxn plugins for the time being.
This should work with 389-ds-base 1.2.x and 1.3.0.

Without other plugin changes 389-ds-base can deadlock.

https://fedorahosted.org/freeipa/ticket/3046
2012-10-10 20:24:10 -04:00
Alexander Bokovoy
0840b588d7 Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.

This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.

https://fedorahosted.org/freeipa/ticket/3041
2012-10-09 18:15:01 -04:00
Rob Crittenden
96decfea26 Add uniqueness plugin configuration for sudorule cn
We do a search looking for duplicate values but this leaves open the
possibility that two adds are happening at the same time so both
searches return NotFound therefore we get two entries with the same
cn value.

https://fedorahosted.org/freeipa/ticket/3017
2012-10-08 18:32:41 -04:00